iPhone Security Flaw in PKI handling exploited by hackers

Enterprise business could be vulnerable to malicious code

The iPhone isn’t everyone’s cup of tea, but it’s certainly big enough to take its place alongside the iPod as a cultural phenomenon. I have one, and I know numerous other owners. Some go so far as to jailbreak the phone to open up certain features that Apple has intentionally disabled. They certainly do not support users doing this, but that hasn’t stopped thousands from using the OS exploit to mod their phone in new, exciting ways. I’ve been tempted, but I value my warranty. I may skirt the need for payday loans to keep my iPhone habit going at times, but so far I’ve been able to keep things under control.

But I’m not a business trying to get a fleet of iPhones synched

They have something new to worry about these days, according to Greg Kumparak of MobileCrunch. There is a new iPhone hack involving PKI handling. Kumparak points those concerned to the full details of the iPhone exploit on the blog Cryptopath. In essence, what’s happening is that the iPhone will accept settings configuration files via an over-the-air connection. Businesses use this feature to set up multiple iPhones at one time, and jailbroken phones use this method for tethering.

Typically a message pops up regarding where the files are coming from and asks the user to allow/install or deny. The iPhone hack enables hackers and other malicious types make the configuration file “report back as Verified,” writes Kumparak. They also say they’re coming from “Apple Computer.” Sounds like a trusted source, right?

Yet it definitely is not legit

Once malware is installed on an iPhone, it can change the user’s proxy settings and direct all traffic from that phone through any server the hacker chooses. That could expose your iPhone to even more trouble, including the shutdown of E-mail, Safari or most any App that requires a Web connection. The damage can run so deep that the only way to recover is to completely reformate the phone to factory settings. Thus, you could lose countless photos and other files.

Patch the problem, don’t nerf the whole process

Being able to configure a fleet of iPhones for business quickly is vitally important for IT employees. Thus, throttling the entire configuration process because of this iPhone hack would require a great deal more man hours. American business is under the gun enough as it is; productive hours are what we need. Time well spent generally equals greater profits, whether you’re a payday loans company or the greatest widget-maker on the block. The moral of the story here is don’t click “Install” if you aren’t absolutely sure everything is legitimate.